August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and Communications UC Office of the President

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Workgroup Universitywide work group created to recommend initiatives to: –reduce number and severity of future security breaches –identify policy and best practices for education, technology

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Subgroups 1.more effective handling of security incidents 2.protection of sensitive data on desktops, laptops and portable devices 3.communications/ education 4.leadership / accountability

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Final Report Focus on “restricted data” Initiatives identified for: –Leadership - must ensure IT security throughout UC –Management - must ensure the safeguarding of restricted data

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Roles and Responsibilities leadership - initiate mandates to campuses individuals – identifies requirements for accountability units – administering data access policies, permissions, enforcement with standards, conducting security audits …

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Roles and Responsibilities units – assign responsibility for security programs, maintaining data inventories, setting departmental guidelines, procedures, proper handling of security incidents and implementing remediation

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Roles and Responsibilities campus-wide responsibilities –campus guidelines and standards –infrastructure management, such as networks and identity management –data stewardship, protection and management organizations –engage controllers and risk managers

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Roles and Responsibilities university-wide responsibilities –manage an insurance-like fund to reduce local liability costs –provide clear guidelines for handling incidents –pilot audit and forensics teams –data risk management program to support campuses

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Communication and Education launch system-wide campaign to raise awareness campus urged to send communications to their constituencies create training modules adaptable to campus learning environments

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Policy and Compliance Programs revise IS-3 to include –minimum security requirements –standards for allowable use of restricted data –guidelines for security incident handling

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Management Initiatives conduct risk assessments –identify all resources that store or transmit restricted data –identify threats and vulnerabilities implement security plan appropriate to the environment

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Security Plans outline processes and controls needed to enhance security –identify rights of access to data –implement strategies to protect data –train staff improve security incident procedures

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Strategies for Securing Restricted Data encryption must be used –for transit –storage on devices when physical security cannot be provided campuses must implement connectivity standards

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Strategies for Securing Restricted Data minimize storing on devices employ network management tools, such as firewalls, IDS system, vulnerability scanning, and VPNs focus on log management strategies employ appropriate authentication and access controls

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Strategies for Securing Restricted Data implement and test back up controls ensure robust systems management for applications and systems, such as anti-virus and security patch management, close ports, turn off unused services, operate change monitoring tools operate firewalls at both system and network

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Effective Handling of Incidents establish standard incident response procedures conduct appropriate post-security breach investigations recommendations for forensics guidance

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Recommendations Leadership: develop systemwide and campus guidelines University-wide –UC-wide communication campaign –Create templates for communications

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Recommendations Training: create Web-based training module for general purpose use Security Incidents: establish and communicate guidelines for log management

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Recommendations Contract for forensics tools and services Create University-wide security audit and forensics teams Update IS-3

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Recommendations Campus security programs –identify responsible party for oversight –develop campus security programs Encryption –promote campus-wide encryption services –select and contract for tools and technologies

August 9, 2005 UCCSC IT Security at the University of California A New Initiative When will this happen? August - report distributed to Chancellors September - Council of Chancellor’s agenda for discussion and identification of next steps